
  1. #1
    SitePoint Zealot

    is this a security hole?

    this looks bad to me, but it solves a lot of problems.

    basically I have files inside /app/webroot

    I have a .htaccess file that redirects URLs to /loader.php?include_page=[whatever you type], as follows:

    RewriteEngine on
    RewriteRule ^(.*)$ loader.php?include=/$1 [QSA,L,NC]

    so, for instance, if you visit /search/foo/, apache redirects traffic to /loader.php?include=/search/foo/

    eventually (after doing lots of stuff), loader.php includes the page specified in $_GET['include'], in this way:
    include '/app/webroot' . $_GET['include'];

    it looks to me like a bad security hole, but I've tried all possible values I could think of, and nothing bad happened.

    I think this doesn't allow loading external sites or system files like /etc/passwd, because of the way the include is written: the file must be inside /app/webroot, and whatever is in this directory you can access from the web anyway.

    am I missing something? is this bad?

    any suggestion appreciated.

  2. #2
    logic_earth
    try this value '/../../etc/passwd'
    And yes that is a very bad hole.
    Logic without the fatal effects.
    All code snippets are licensed under WTFPL.


  3. #3
    SitePoint Guru
    Quote Originally Posted by logic_earth
    try this value '/../../etc/passwd'
    And yes that is a very bad hole.
    This.

  4. #4
    SitePoint Zealot


    guess gotta find another way to solve other problems...

    thanks!

  5. #5
    SitePoint Zealot
    ... meaning the problems the include would solve

  6. #6
    joebert
    What about running any paths containing data from the user through this?

    PHP Code:
    function path_jailed($path, $jail = '.')
    {
        // Strip a Windows drive prefix, runs of backslashes and dot sequences before a slash,
        // then place the result under the jail directory.
        $path = sprintf("$jail/%s", preg_replace('#^[A-Z]+:|\\\\+|\.+/#i', '/', $path));
        // Collapse repeated slashes.
        return preg_replace('#/{2,}#', '/', $path);
    }

    PHP Code:
    include path_jailed($_GET['include'], '/app/webroot'); 

  7. #7
    logic_earth
    Quote Originally Posted by joebert
    What about running any paths containing data from the user through this?

    PHP Code:
    function path_jailed($path, $jail = '.')
    {
        // Strip a Windows drive prefix, runs of backslashes and dot sequences before a slash,
        // then place the result under the jail directory.
        $path = sprintf("$jail/%s", preg_replace('#^[A-Z]+:|\\\\+|\.+/#i', '/', $path));
        // Collapse repeated slashes.
        return preg_replace('#/{2,}#', '/', $path);
    }

    PHP Code:
    include path_jailed($_GET['include'], '/app/webroot'); 
    Or you can just apply "realpath" and get to the same place.

    PHP Code:
    // Canonicalise the application directory and the requested path with the same
    // slash normalisation, then require the requested path to start with the former.
    $safe = preg_replace( '~[\\\\/]+~', '/', dirname( __FILE__ ) . '/' );
    $user = preg_replace( '~[\\\\/]+~', '/', realpath( $_GET['path'] ) . '/' );

    if ( strpos( $user, $safe ) !== 0 ) {
        exit( 'Bad path!' );
    }

    Don't even attempt to fix the path, disregard it completely!


  8. #8
    joebert
    That jails you to the application directory regardless though, doesn't it?
    What if you have multiple sites using the same includes?

  9. #9
    logic_earth
    Quote Originally Posted by joebert
    That jails you to the application directory regardless though, doesn't it?
    What if you have multiple sites using the same includes?
    If the path goes outside of the desired location, or goes to a location that doesn't exist, that would tell me that someone is trying to hack into the system and/or find an exploit. The common user is not going to forge paths.

    And I'm not sure what "...multiple sites using the same includes..." is supposed to mean in this context.


  10. #10
    joebert
    Assume you have a server with the following paths on the filesystem.

    /www/domain-one.com/
    /www/domain-two.com/
    /www/common/

    The first path is the DocumentRoot for an Apache virtual host named "domain-one.com", the second path is a DocumentRoot for "domain-two.com", and the third path is a set of common includes accessible by both sites so the administrator doesn't need to maintain two sets of includes for the two sites.
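An added example, not code from any post in this thread, that carries logic_earth's realpath approach from #7 over to the two-site layout joebert describes in #10: the request is always joined under each allowed base directory, canonicalised with realpath(), and accepted only if the result is a regular file that stays inside that base. The directory names and the `include` query parameter come from the thread; the function name and the log message are my own, and PHP 7.1 or later is assumed for the nullable return type.

```php
<?php
// Added example, not code from the thread. Resolves a requested include path under
// an allowlist of base directories with realpath() and accepts it only if the
// canonical result stays inside one of them. Directory names are from joebert's
// layout in #10; the function name and log message are my own choices.

/**
 * Return the canonical path of $requested if it resolves to a regular file inside
 * one of $allowedBases; return null if it escapes, is missing, or is a directory.
 */
function resolve_include(string $requested, array $allowedBases): ?string
{
    // realpath() rejects NUL bytes (ValueError in PHP 8), so refuse them first.
    if (strpos($requested, "\0") !== false) {
        return null;
    }

    foreach ($allowedBases as $base) {
        $realBase = realpath($base);
        if ($realBase === false) {
            continue;                              // misconfigured base directory
        }
        // Always join under the base so the request cannot pick its own root;
        // realpath() then resolves any '..', '.', repeated slashes and symlinks.
        $candidate = realpath($realBase . '/' . ltrim($requested, '/'));
        if ($candidate === false || !is_file($candidate)) {
            continue;                              // missing file, or a directory
        }
        // Compare with a trailing separator so /www/common2 cannot match /www/common.
        $prefix = $realBase . DIRECTORY_SEPARATOR;
        if (strncmp($candidate, $prefix, strlen($prefix)) === 0) {
            return $candidate;
        }
    }
    return null;                                   // no base accepted the request
}

// loader.php usage: the per-site DocumentRoot plus the shared includes directory.
$bases  = ['/www/domain-one.com', '/www/common'];
$target = resolve_include($_GET['include'] ?? '', $bases);
if ($target === null) {
    error_log('rejected include request: ' . ($_GET['include'] ?? ''));
    http_response_code(404);
    exit;
}
include $target;
```

Because the check runs on the canonical path, a symlink inside a base that points outside it is rejected too, and the rejected requests land in the error log where they can be watched for.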

  11. #11
    SitePoint Zealot
    yeah that was a bad idea to start with.

    I now got another solution figured out that doesn't affect security.

    even though the path jail might work, if it's bad then better not have code like that at all.


